2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
We are all very familiar with file upload; after all, it is one of the important ways to get a webshell. For the theory, refer to my other summary article, "talking about file analysis and upload loopholes". This post mainly supplements that theory with filetype vulnerabilities!
Filetype vulnerabilities mainly target the Content-Type field and can be exploited in two ways:
1. Upload an image first, then change Content-Type: image/jpeg to Content-Type: text/asp, truncate the filename with a 00 byte, and replace the content of the image with a one-sentence Trojan.
2. Use Burp to capture the request directly. In the data uploaded by POST, change Content-Type: text/plain to Content-Type: image/gif.
Here is a simple case of a controllable filetype being used for arbitrary file upload. I had encountered it before in CTFs and thought it should not appear in a real environment, but unfortunately I ran into it!
Experimental environment: ASP, IIS 7.5, Windows 2008 R2
When we find an upload point, we upload an ASP one-sentence Trojan. The corresponding HTTP request packet is shown in figure 1:
Figure 1 upload failed
At this point the upload fails with a message that the extension is illegal (it should be restricted by a whitelist), but the filetype in the HTTP request packet is *. Shouldn't everything be supported? We then tried various upload techniques: directory parsing (trying showed that upload directory names can be created arbitrarily), 00 truncation, and left-to-right parsing. They all failed!
I originally thought there was no way in, because the downloaded configuration file web.config showed the whitelist restriction, as shown in figure 2. There should have been no way!
Figure 2 web.config
Finally, on a whim (a blind cat stumbling on a dead mouse), I changed the * of filetype directly to asp, and the upload succeeded, as shown in figure 3.
Figure 3 modified filetype uploaded successfully
Then we visit the directory to see whether the upload really succeeded and whether the file has been killed by antivirus. As shown in figure 4, the upload did succeed.
Figure 4 the one-sentence Trojan can be accessed normally
Finally, a webshell is successfully obtained by connecting with China Chopper (the "kitchen knife"), as shown in figure 5.
Figure 5 successful acquisition of webshell
Summary:
The main purpose of this article is to record some everyday experience and tricks. Because I am often limited by fixed thinking, I often only think of taking a chance at the very end!
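A server-side check that would have refused the upload in this walkthrough, added here as an example and not code from the original post or the tested site: it ignores the request's Content-Type and filetype fields and decides from its own allowlist plus the file's leading bytes. The allowlist, the function names and the sample requests are assumptions constructed for illustration.

```python
import os
import secrets

# Assumed server-side policy (images only): extension -> accepted magic bytes.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def validate_upload(filename, data, client_content_type=None, client_filetype=None):
    """Return (ok, stored_name_or_reason) for one uploaded file.

    client_content_type and client_filetype are taken only to show they are
    ignored: both arrive in the request, so the sender chooses their values.
    """
    # A NUL or other control character is the truncation trick: reject, never strip.
    if any(ord(c) < 0x20 for c in filename):
        return False, "control character in filename"
    # Drop any client-supplied path, whichever separator was used.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots/spaces; ':' and ';' alter NTFS/IIS name handling.
    if base != base.rstrip(". ") or ":" in base or ";" in base:
        return False, "ambiguous filename"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # Store under a server-generated name so only the vetted extension survives.
    return True, secrets.token_hex(16) + ext

# Constructed requests: (filename, body, declared Content-Type, declared filetype).
SAMPLES = [
    ("page.asp", b"<% placeholder %>", "image/gif", "asp"),
    ("page.asp\x00.jpg", b"\xff\xd8\xff\xe0", "image/jpeg", "*"),
    ("photo.gif", b"<% placeholder %>", "image/gif", "*"),
    ("photo.gif", b"GIF89a" + bytes(16), "text/plain", "asp"),
]

def check_samples():
    return [validate_upload(*s) for s in SAMPLES]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, check_samples()):
        print(repr(sample[0]), sample[2:], "->", result)
```

Leading bytes alone do not stop a file that is both a valid image and a script, so the server-chosen extension and an upload directory with script execution disabled still matter.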